From owner-freebsd-questions Sat Oct 13 0:28:11 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.XtremeDev.com (xtremedev.com [216.241.38.65]) by hub.freebsd.org (Postfix) with ESMTP id C012137B40F for ; Sat, 13 Oct 2001 00:28:07 -0700 (PDT)
Received: from xtremedev.com (xtremedev.com [216.241.38.65]) by mail.XtremeDev.com (Postfix) with ESMTP id 327A470614; Sat, 13 Oct 2001 01:28:06 -0600 (MDT)
Date: Sat, 13 Oct 2001 01:28:06 -0600 (MDT)
From: FreeBSD
To: Nick Rogness
Cc: Kenneth Wayne Culver, Michael Sierchio, Henrik Holmstam, Alfatrion, "Maine LOA List Admin (Brent Bailey)", "Hartmann, O."
Subject: Re: IPFW or IPFILTER?
In-Reply-To:
Message-ID: <20011013011937.B75955-100000@Amber.XtremeDev.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> On Fri, 12 Oct 2001, Kenneth Wayne Culver wrote:
>
> > I suppose another big reason that I started using ipfilter is its
> > performance... for me and for what we do through our FreeBSD router
> > (with gaming through the nat) ipfw + natd just wasn't cutting it.
>
> I don't buy that...let's see some numbers people...

No numbers from me. I've never done a performance comparison between the
two. Wouldn't mind seeing it though.

> Since everyone is giving their opinions, I might as well share
> mine as well. Even though this conversation does not belong on
> -stable. Hell, it doesn't even belong on -questions. More like
> -chat or something. But anyway I'm a big IPFW fan because :
>
> 1) it is simple and straightforward. IPFILTER has ipf, ipfstat,
> ipmon, ipnat...what a head-ache. IPFW has ipfw...

ipf and ipfstat show more info than ipfw alone. ipmon is a whole
'nother program, doesn't really fit into the comparison. Like adding
in ngrep or something. And ipnat controls nat, what natd does for ipfw.
So the only "complexity" is ipfstat which gives stat info. Big whup.

> 2) IPFW can bring packets out of the Kernel into userland via
> divert...this can be a very powerful interface that only a few
> things use that I know of, one of them being natd. Of course,
> this could be dangerous too.

No comment on this one. Powerful yes, dangerous possibly. Performance hit?

> 3) It comes as a kernel module. I'm tired of building a kernel on
> every machine to enable IPFILTER.

IPF is available as a kernel module: /modules/ipl.ko. Need to load it
on a GENERIC system? kldload ipl.ko.

> 4) Bandwidth control

ipf is lacking in this respect. I would rather see AltQ or some other
standard thing (doesn't KAME use AltQ? Isn't that part of FreeBSD base
now?) though, than something more to bloat ipf code.

> 5) Bridging firewalls

Being worked on. As someone else has pointed out, ipf has supported
bridging on other systems for a long time; it's just been lacking proper
support in FreeBSD.

Not trying to flame, but thought I'd toss in my two cents. The point is
that it's great to have a choice, and you use the firewall with the
feature set that best fits your needs. Or both if you prefer the
combination.
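An added example, not part of the message above and not code from either the IPFilter or the ipfw project: the same small NAT-router policy written twice, once with the IPFilter tool set the poster describes (ipf for filtering, ipnat for NAT, the ipl.ko module) and once with ipfw plus natd over a divert socket. The interface names (fxp0 outside, xl0 inside), the inside network 192.168.1.0/24, the port range and the file paths are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original message): one NAT-router policy
# written for IPFilter (ipf + ipnat) and for ipfw (ipfw + natd), so the
# two tool sets can be compared side by side.
# Assumed topology: fxp0 faces the Internet, xl0 faces 192.168.1.0/24.
# Interface names, network and file paths are assumptions, not from the post.
EXT_IF=fxp0
INT_IF=xl0
INT_NET=192.168.1.0/24

# --- IPFilter: filter rules for ipf(8) ----------------------------------
# ipf takes the LAST matching rule unless a rule says "quick", so the two
# default-deny rules go first and every rule meant to decide is "quick".
ipf_rules() {
    cat <<EOF
# default: deny and log in both directions
block in log all
block out log all
# loopback and the inside interface are trusted
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on $INT_IF all
pass out quick on $INT_IF all
# outbound on the outside interface is stateful; replies come back via state
pass out quick on $EXT_IF proto tcp from any to any flags S keep state
pass out quick on $EXT_IF proto udp from any to any keep state
pass out quick on $EXT_IF proto icmp from any to any keep state
EOF
}

# --- IPFilter: NAT rules for ipnat(8) -----------------------------------
# "0/32" means the address currently on $EXT_IF; the portmap line covers
# tcp/udp, the plain map line everything else (e.g. icmp).
ipnat_rules() {
    cat <<EOF
map $EXT_IF $INT_NET -> 0/32 portmap tcp/udp 20000:40000
map $EXT_IF $INT_NET -> 0/32
EOF
}

# --- ipfw: rule lines for "ipfw /etc/ipfw.rules" -------------------------
# ipfw is first-match and NAT happens in userland (natd) via divert, so
# order matters: translate INBOUND packets before check-state, so state is
# matched on the inside address, and translate OUTBOUND packets only after
# the keep-state rules have recorded them (skipto 500 jumps past the deny).
ipfw_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 110 allow ip from any to any via $INT_IF
add 120 divert natd ip from any to any in via $EXT_IF
add 130 check-state
add 200 skipto 500 tcp from any to any out via $EXT_IF setup keep-state
add 210 skipto 500 udp from any to any out via $EXT_IF keep-state
add 220 skipto 500 icmp from any to any out via $EXT_IF keep-state
add 300 deny log ip from any to any
add 500 divert natd ip from any to any out via $EXT_IF
add 510 allow ip from any to any
EOF
}

# Rule number of the first ipfw rule whose text matches $1 (ordering checks).
ipfw_rule_number() {
    ipfw_rules | grep -- "$1" | awk 'NR == 1 { print $2 }'
}

# Load IPFilter (the ipl.ko module the post mentions) and both rule files.
apply_ipf() {
    kldstat | grep -q ipl.ko || kldload ipl.ko
    ipf_rules > /etc/ipf.rules
    ipnat_rules > /etc/ipnat.rules
    ipf -Fa -f /etc/ipf.rules       # -Fa: flush all existing rules first
    ipnat -CF -f /etc/ipnat.rules   # -C: clear rules, -F: flush active mappings
    sysctl -w net.inet.ip.forwarding=1
}

# Load ipfw and start natd. Caveat: ipfw.ko installs a default "deny all"
# rule the moment it loads, so run this from the console, not over the
# network. divert additionally needs IPDIVERT compiled into the kernel.
apply_ipfw() {
    kldstat | grep -q ipfw.ko || kldload ipfw.ko
    ipfw_rules > /etc/ipfw.rules
    ipfw -f flush
    ipfw /etc/ipfw.rules
    natd -n "$EXT_IF"               # listens on divert port "natd" (8668)
    sysctl -w net.inet.ip.forwarding=1
}

# With no argument the script only defines the functions (safe to source).
if [ $# -gt 0 ]; then
    case "$1" in
        ipf)  apply_ipf ;;
        ipfw) apply_ipfw ;;
        *)    echo "usage: $0 ipf|ipfw" >&2; exit 2 ;;
    esac
fi
```

Run it as root on the router as `sh nat-router.sh ipf` or `sh nat-router.sh ipfw` (the file name is arbitrary). The IPFilter half keeps filtering and NAT in two separate rule files because those are two separate tools, which is the "head-ache" the quoted poster complains about; the ipfw half needs only one tool but pays for it with the divert ordering constraint in the comments, which is easy to get wrong and silently drops reply packets when it is.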